Data processing agreement
Effective May 2, 2026. Applies when VSync processes personal data on your behalf.
Last updated: May 2, 2026 Effective: May 2, 2026
This Data Processing Agreement ("DPA") applies when VSync (Cache Flow Capital LLC, doing business as VSync) processes personal data on your behalf as part of the Service — specifically, personal data about your vendors, clients, guests, and other individuals whose information you upload to VSync. It is incorporated into and forms part of the Terms of Service.
Under the GDPR and similar laws:
- You are the data controller of this personal data.
- VSync is the data processor acting on your instructions.
This DPA is designed to comply with Article 28 of the GDPR, the UK GDPR, CCPA service provider requirements, and equivalent provisions under US state privacy laws effective as of the date above.
1. Scope and purpose
1.1 This DPA applies to the processing of personal data that you (the controller) submit, upload, or generate within the VSync Service relating to individuals other than yourself — including your event vendors, guests, clients, and their contact personnel.
1.2 VSync will process such personal data only:
- As instructed by you through your use of the Service
- As necessary to provide the Service under the Terms of Service
- As required by applicable law (in which case we will notify you unless prohibited from doing so)
2. Nature and purpose of processing
| Item | Details |
|---|---|
| Subject matter | Event coordination data — vendor contact information, certificates of insurance, event briefs, timelines, messages, check-in records |
| Duration | For the duration of your subscription and the retention periods in the Privacy Policy |
| Nature | Storing, organizing, displaying, transmitting within the platform, generating PDF briefs, sending notifications |
| Purpose | Providing the VSync Service as described in the Terms of Service |
| Types of personal data | Names, email addresses, phone numbers, business addresses, trade/specialty, COI documents, photos (if attached), messages |
| Categories of data subjects | Vendors, venue staff, planning team members, clients (if their data is entered), guests (if check-in or guest list features are used) |
3. Controller instructions
3.1 You instruct VSync to process personal data as configured through your use of the Service. VSync will not process personal data for any purpose outside the scope of those instructions.
3.2 If you instruct VSync to do something that, in VSync's reasonable opinion, would violate applicable law, VSync will notify you and is not obligated to follow that instruction.
4. Confidentiality
VSync will ensure that all personnel with access to personal data processed under this DPA are bound by confidentiality obligations no less protective than those in this DPA. Access to personal data is limited to personnel who need it to perform their job functions.
5. Security
VSync implements and maintains the technical and organizational security measures described in the Privacy Policy (§7). Upon request, VSync will provide additional documentation of those measures.
VSync will notify you without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting data processed under this DPA. The notification will include, to the extent known at the time:
- A description of the nature of the breach
- The categories and approximate number of individuals and records affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach
6. Sub-processors
6.1 You authorize VSync to engage sub-processors to assist in providing the Service. The current sub-processor list is maintained at vsync.events/legal/sub-processors.
6.2 VSync will:
- Notify you at least 14 days before adding or removing a material sub-processor, by email or in-app notice
- Bind each sub-processor to data protection obligations equivalent to those in this DPA
- Remain liable to you for the acts and omissions of each sub-processor
6.3 If you object to a new sub-processor on reasonable grounds relating to data protection, you may notify us at privacy@vsync.events within 14 days of the notification. We will work in good faith to accommodate your objection. If we cannot do so, you may terminate your subscription without penalty, and we will provide a prorated refund for the unused portion of any annual plan.
7. International transfers
VSync is operated from and intended for use in the United States, and processes personal data in the United States. The Service is not offered to or directed at customers or data subjects in the European Economic Area, the United Kingdom, or Switzerland.
If your use of the Service would nonetheless involve a transfer of personal data subject to EU, UK, or Swiss data-protection law, contact privacy@vsync.events to put an appropriate transfer mechanism — such as the EU Standard Contractual Clauses (Controller-to-Processor, Module 2) or the UK International Data Transfer Agreement — in place before such data is uploaded. Absent a separately executed agreement, VSync does not warrant a standing transfer mechanism for such data.
8. Data subject rights
VSync will provide you with reasonable assistance — including through technical measures where appropriate — to respond to data subject rights requests (access, deletion, correction, portability, restriction) received from individuals whose data you have uploaded to VSync.
If VSync receives a data subject rights request directly relating to data you control, we will redirect the individual to you and notify you within 5 business days.
9. Data protection impact assessments
VSync will provide reasonable cooperation and information to assist you in conducting any data protection impact assessments (DPIAs) required under applicable law relating to your use of the Service.
10. Audit rights
Upon your reasonable written request (no more than once per calendar year, unless a security incident has occurred), VSync will provide documentation demonstrating compliance with this DPA, including the results of any third-party audits or certifications we hold.
If you require a more extensive audit, the parties will agree on scope and cost in advance. Any such audit must be conducted with reasonable notice, during business hours, and in a manner that does not unreasonably disrupt VSync's operations.
11. Deletion and return of data
Upon termination of your subscription, or upon written request, VSync will — at your election — delete or return your personal data within the timeframes described in the Privacy Policy (§5), except where retention is required by applicable law.
Confirmation of deletion will be provided in writing upon request.
12. CCPA service provider terms
For purposes of the CCPA/CPRA: VSync is a "service provider." VSync certifies that it will not:
- Sell or share personal data received from you under this DPA
- Retain, use, or disclose personal data for any commercial purpose other than providing the Service
- Retain, use, or disclose personal data outside the direct business relationship between VSync and you
- Combine personal data received from you with personal information received from other sources, except as permitted by the CCPA/CPRA
13. Governing law
This DPA is governed by the same law as the Terms of Service (Florida). For EU/UK data subjects, the EU SCCs and/or UK IDTA supplement and, in case of conflict regarding data protection obligations, take precedence over this DPA.
14. Order of precedence
In the event of any conflict between this DPA and the Terms of Service with respect to the subject matter of this DPA (processing of personal data), this DPA will control.
15. Contact and signed copies
For questions about this DPA, or to request a countersigned copy for your records, contact privacy@vsync.events.
Enterprise and Unlimited customers may request a mutually executed DPA with a VSync officer signature by contacting their account lead.
This DPA is effective upon your acceptance of the Terms of Service and does not require a separate signature to be binding, except where your organization requires a countersigned copy for compliance purposes.